Monthly Archives: January 2015

Charles Leaver – Ziften’s Lightweight Approach To Endpoint Security Is The Right Way

Charles Leaver, Ziften CEO, Presents a Post by CTO David Shefter

If you are an organization with 5000 or more workers, it is likely that your IT security and operations teams are overwhelmed by the volume of data they must sift through to get even a small amount of visibility into what their user community is doing day to day. Antivirus suites have been deployed, USB ports have been disabled and user access constraints have been imposed, but the threat of cyber attacks and malware infections still exists. What do you do next?

According to a Verizon Data Breach Report, as much as 72% of advanced malware and cyber-criminal intrusions take place in the endpoint environment. Your business first has to ask itself how important its reputation is. Take Target as an example: a malware infiltration cost it over $6 billion in market capitalization. Regrettably, the modern world places us under constant attack from disgruntled or rogue employees, anarchists and other cyber criminals, and this situation is only likely to get worse.

Your network is protected by a firewall and similar controls, but you cannot see what is happening beyond the network switch port. The only real way to address this threat is to implement a solution that works with and complements the network-based solutions you already have. Ziften (Dutch for “to sift”) provides such a solution, offering “open visibility” with a lightweight approach. You have to manage the entire environment, including servers, the network, desktops and so on, but you do not want to place additional overhead and strain on it. A substantial Ziften commitment is that the solution will not have a negative effect on your environment, while still providing a deeply impactful visibility and security solution.

Ziften’s software understands machine behaviour and anomalies, enabling analysts to focus on advanced threats faster and reduce dwell time to a minimum. The solution constantly monitors activity at the endpoint: resource consumption, IP connections, user interactions and so on. With it, your company will be able to identify the root cause of an intrusion faster and remediate the problem.

It is a lightweight solution that is not kernel or driver based: memory usage is minimal, there is little to no overhead at the system level and almost zero network traffic.

Driver- and kernel-based solutions face stringent certification requirements that can take longer than 9 months. By the time the new software is developed and certified, the OS may already be at its next release. This is a time-consuming, hard-to-support and cumbersome process.

The Ziften approach is a genuine differentiator in the market. Deploying an extremely lightweight, non-invasive agent that runs as a system service removes the strain that many new software solutions introduce at the endpoint. Ease of deployment leads to faster time to market, easy support, scalability and simple solutions that do not interfere with the user environment.

To summarize: with the present level of cyber risk, and the risk of a reputation-damaging cyber attack increasing every day, you need continuous 24/7 monitoring of all your endpoint devices to ensure clear visibility of any endpoint security threats, gaps or instabilities, and Ziften can deliver this to you.


Five Items For Cyber Readiness That You Must Implement – Charles Leaver

Presented by Charles Leaver, Chief Executive Officer Ziften Technologies – Written By Dr Al Hartmann

1. Security Operations Center (SOC).

You have a Security Operations Center with 24/7 coverage, either in-house, outsourced or a combination of the two. You do not want any gaps in coverage that could leave you open to infiltration. Shift handovers should be formalized by watch supervisors, with proper handover reports supplied. The supervisor provides a daily summary detailing any attack detections and defensive countermeasures. Where possible, attackers should be identified and distinguished by C2 infrastructure, attack methodology and so on, and given codenames. You are not trying to attribute attacks here, as that would be too difficult, only noting attack activity patterns that correlate with different adversaries. It is important that your SOC familiarizes itself with these patterns and can differentiate known attackers or spot new ones.

2. Security Supplier Support Readiness.

It is not possible for your security staff to know about all aspects of cyber security, nor to have visibility of attacks on other organizations in the same industry. You need external security support teams on standby, which could include the following:

(i) Emergency response team support: a list of vendors that will respond to the most severe, headline-making cyber attacks. Make sure one of these vendors is ready for a significant threat and that they receive your cyber security reports regularly. They should have legal forensic capabilities and working relationships with law enforcement.

(ii) Cyber threat intelligence support: a vendor that gathers cyber threat intelligence in your sector, so that you stay ahead of the threats developing in your industry. This team should be plugged into the dark net, looking for any sign that your organization’s IP is being mentioned or that attackers are discussing your organization.

(iii) IoC and blacklist support: because this covers several areas you will need several vendors. It includes domain blacklists, SHA1 or MD5 hash blacklists, IP blacklists and indicators of compromise (suspect configuration settings, registry keys, file paths, etc.). Some of your installed network or endpoint security products may be able to provide these, or you can appoint a third-party specialist.
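The indicator types listed above (domains, SHA1/MD5 hashes, IP ranges, suspect registry keys and paths) are only useful once they are matched against what your endpoints and proxies actually log. The script below is an added example, not Ziften’s code or any vendor’s feed format: the tab-separated blacklist, the log records and the indicator values are all constructed, and the record field names are assumptions. It normalizes case, matches subdomains of a blacklisted domain without matching look-alike names such as `notevil.example`, and matches IPs against CIDR ranges.

```python
"""Match endpoint and proxy log records against an IoC blacklist.

Added example (not Ziften's code). Blacklist entries, log records and
indicator values are constructed sample data, not real indicators.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Blacklist:
    domains: set = field(default_factory=set)      # blocked domains (and subdomains)
    hashes: set = field(default_factory=set)       # MD5/SHA1 hex digests, lowercase
    networks: list = field(default_factory=list)   # ipaddress networks
    paths: set = field(default_factory=set)        # suspect file paths / registry keys

    @classmethod
    def from_lines(cls, lines):
        """Parse 'type<TAB>value' lines; comments and unknown types are ignored."""
        bl = cls()
        for line in lines:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            kind, _, value = line.partition("\t")
            value = value.strip()
            if kind == "domain":
                bl.domains.add(value.lower().rstrip("."))
            elif kind == "hash":
                bl.hashes.add(value.lower())
            elif kind == "ip":
                bl.networks.append(ipaddress.ip_network(value, strict=False))
            elif kind == "path":
                bl.paths.add(value.lower())
        return bl

    def domain_hit(self, host):
        host = host.lower().rstrip(".")
        # exact or parent-domain match: evil.example also covers c2.evil.example,
        # but the "." prefix keeps notevil.example from matching
        return any(host == d or host.endswith("." + d) for d in self.domains)

    def ip_hit(self, addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self.networks)

    def hash_hit(self, digest):
        return digest.lower() in self.hashes

    def path_hit(self, path):
        return path.lower() in self.paths


# constructed sample feed (type<TAB>value); the digest is a placeholder
BLACKLIST_TEXT = """
# constructed sample indicators
domain\tevil.example
ip\t198.51.100.0/24
hash\t""" + "deadbeef" * 5 + """
path\thkcu\\software\\microsoft\\windows\\currentversion\\run\\updater
"""

# constructed log records with assumed field names
SAMPLE_LOG = [
    {"id": 1, "host": "ws-042", "dst_host": "updates.vendor.example", "dst_ip": "203.0.113.7"},
    {"id": 2, "host": "ws-042", "dst_host": "c2.evil.example", "dst_ip": "198.51.100.23"},
    {"id": 3, "host": "ws-017", "sha1": "DEADBEEF" * 5},
    {"id": 4, "host": "ws-017", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 5, "host": "ws-099", "dst_host": "notevil.example", "dst_ip": "203.0.113.9"},
]


def scan(records, bl):
    """Return (record id, indicator type, value) for every blacklist match."""
    hits = []
    for r in records:
        if "dst_host" in r and bl.domain_hit(r["dst_host"]):
            hits.append((r["id"], "domain", r["dst_host"]))
        if "dst_ip" in r and bl.ip_hit(r["dst_ip"]):
            hits.append((r["id"], "ip", r["dst_ip"]))
        for key in ("md5", "sha1"):
            if key in r and bl.hash_hit(r[key]):
                hits.append((r["id"], key, r[key]))
        if "path" in r and bl.path_hit(r["path"]):
            hits.append((r["id"], "path", r["path"]))
    return hits


def find_hits():
    return scan(SAMPLE_LOG, Blacklist.from_lines(BLACKLIST_TEXT.splitlines()))


if __name__ == "__main__":
    for rec_id, kind, value in find_hits():
        print(f"record {rec_id}: {kind} indicator matched {value}")
```

Record 2 produces both a domain and an IP hit, record 3 matches despite its upper-case digest, record 4 matches the registry Run key case-insensitively, and record 5 correctly produces nothing. Each feed vendor from the list above will use its own format, so in practice `from_lines` is the part you replace per source.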

(iv) Reverse engineering support: a vendor that specializes in analysing binary samples and provides in-depth reports on their content, the potential threat and the malware family. Your existing security vendors may offer this service.

(v) Public relations and legal support: if you suffer a significant breach, make sure public relations and legal support are in place so that your CEO, CIO and CISO do not become a Harvard Business School case study in how not to handle a major cyber attack.

3. Inventory of your assets, classification and readiness for security.

Make sure that all of your cyber assets are inventoried, their relative values classified, and value-appropriate cyber defences enacted for each asset class. Do not rely entirely on the assets known to the IT team; get a business unit sponsor for asset identification, especially for assets hidden in the public cloud. Also ensure essential management processes are in place.

4. Attack detection and diversion readiness.

For each major asset class you can create replicas using honeypot servers to draw attackers in and reveal their attack techniques. When Sony was breached, the attackers found a domain server with a file named ‘passwords.xlsx’ that contained cleartext passwords for the company’s servers. This was an excellent ploy, and you should place such lures in tempting locations and alarm them so that any access triggers an alert immediately, giving you an instant attack intelligence system. Modify the lures often so they appear active and do not look like an obvious trap. Since many servers are virtual, attackers will not be as prepared with sandbox evasion techniques as they would be on client endpoints, so you may be fortunate enough to watch the attack as it happens.
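Alarming a lure means turning file-access audit events for the decoy paths into alerts, while ignoring the account that periodically refreshes the lures to keep them looking active. The code below is an added example (not Ziften’s code, and not a description of Sony’s environment): the lure paths, the `svc-lurerefresh` maintainer account and the audit events are constructed, and the event field names are assumptions. It treats share paths case-insensitively, since a reader who browses to `\\fileserv01\it\PASSWORDS.xlsx` has still opened the decoy.

```python
"""Alarm on access to decoy ('lure') files.

Added example (not Ziften's code). Lure paths, the maintainer account and
the audit events are constructed sample data; field names are assumptions.
"""
from collections import namedtuple

Alarm = namedtuple("Alarm", "ts user host path action")

# constructed lure registry: decoys planted where an intruder would look
LURES = {
    r"\\fileserv01\IT\passwords.xlsx",
    r"\\fileserv01\Finance\wire_transfer_logins.docx",
}

# assumed service account whose scheduled job rewrites the lures so their
# timestamps stay fresh; its own touches must not raise alarms
LURE_MAINTAINER = "svc-lurerefresh"

# constructed file-access audit events (e.g. from file server object auditing)
EVENTS = [
    {"ts": "2015-01-12T02:00:00", "user": "svc-lurerefresh", "host": "fileserv01",
     "path": r"\\fileserv01\IT\passwords.xlsx", "action": "write"},
    {"ts": "2015-01-12T10:14:32", "user": "jsmith", "host": "ws-042",
     "path": r"\\fileserv01\IT\Policies\acceptable_use.pdf", "action": "read"},
    {"ts": "2015-01-12T23:41:07", "user": "jsmith", "host": "ws-042",
     "path": r"\\fileserv01\it\PASSWORDS.xlsx", "action": "read"},
    {"ts": "2015-01-12T23:41:09", "user": "jsmith", "host": "ws-042",
     "path": r"\\fileserv01\Finance\wire_transfer_logins.docx", "action": "read"},
]


def _norm(path):
    # Windows share paths are case-insensitive, so compare in lower case
    return path.lower()


def check_events(events, lures=LURES, maintainer=LURE_MAINTAINER):
    """Return one Alarm per access to a lure by anyone other than the maintainer."""
    lure_set = {_norm(p) for p in lures}
    alarms = []
    for e in events:
        if _norm(e["path"]) not in lure_set:
            continue                      # ordinary file, not a decoy
        if e["user"] == maintainer:
            continue                      # scheduled refresh, not an intruder
        alarms.append(Alarm(e["ts"], e["user"], e["host"], e["path"], e["action"]))
    return alarms


if __name__ == "__main__":
    for a in check_events(EVENTS):
        print(f"LURE ACCESSED {a.ts} user={a.user} host={a.host} {a.action} {a.path}")
```

Because legitimate users have no reason to open these files, any alarm is worth an analyst’s attention; the two late-night reads from `ws-042` in the sample data are exactly the early signal the text describes.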

5. Monitoring readiness and continuous visibility.

Network and endpoint activity should be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore outside the organization’s firewall, activity at those endpoints must also be monitored. Endpoint monitoring is the only reliable way to perform process attribution for monitored network traffic, since protocol fingerprinting at the network level cannot always be relied upon (attackers can spoof it). Monitored data should be saved and archived for future reference, as many attacks cannot be identified in real time. You will need to rely on metadata more often than on full packet capture, because full capture imposes a significant collection overhead. However, dynamic risk-based monitoring controls can keep the collection overhead low while still responding to significant threats with more granular observations.
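Process attribution in practice is a join: the network sensor exports flow metadata (addresses, ports, a port-based protocol guess), the endpoint agent exports which process opened which local socket, and the two are matched on the connection tuple within a small time window. The code below is an added example, not Ziften’s code: both record sets, the field names, the time window and the `EXPECTED_ON_443` allow-list are constructed assumptions. It shows why the endpoint view matters: two flows that look identical to the sensor (“HTTPS” to port 443) resolve to a browser in one case and to an executable in a temp directory in the other, and a flow from an unmonitored host is reported as unattributed rather than silently dropped.

```python
"""Attribute network flows to endpoint processes.

Added example (not Ziften's code). Flow records, endpoint telemetry, field
names, the time window and the allow-list are constructed assumptions.
"""
from datetime import datetime, timedelta

# constructed flow metadata from a network sensor; the sensor only sees
# addresses and ports, and guesses the protocol from the destination port
FLOWS = [
    {"ts": "2015-01-12T09:00:01", "src_ip": "10.0.5.21", "src_port": 51234,
     "dst_ip": "203.0.113.50", "dst_port": 443, "proto_guess": "https"},
    {"ts": "2015-01-12T09:00:05", "src_ip": "10.0.5.21", "src_port": 51240,
     "dst_ip": "198.51.100.9", "dst_port": 443, "proto_guess": "https"},
    {"ts": "2015-01-12T09:00:09", "src_ip": "10.0.5.77", "src_port": 40001,
     "dst_ip": "203.0.113.50", "dst_port": 443, "proto_guess": "https"},
]

# constructed endpoint telemetry: which process opened which local socket
# (host 10.0.5.77 has no agent, so it reports nothing)
ENDPOINT_CONNS = [
    {"ts": "2015-01-12T09:00:01", "host_ip": "10.0.5.21", "pid": 4120,
     "image": r"C:\Program Files\Browser\browser.exe", "local_port": 51234,
     "remote_ip": "203.0.113.50", "remote_port": 443},
    {"ts": "2015-01-12T09:00:04", "host_ip": "10.0.5.21", "pid": 7788,
     "image": r"C:\Users\jane\AppData\Local\Temp\update.exe", "local_port": 51240,
     "remote_ip": "198.51.100.9", "remote_port": 443},
]

# assumed site policy: processes expected to talk to port 443 from workstations
EXPECTED_ON_443 = {"browser.exe", "outlook.exe"}
WINDOW = timedelta(seconds=5)   # assumed clock tolerance between sensor and agent


def attribute(flows, conns, window=WINDOW):
    """Join each flow to the endpoint connection with the same
    (host, local port, remote ip, remote port) seen within the time window."""
    results = []
    for f in flows:
        f_ts = datetime.fromisoformat(f["ts"])
        f_key = (f["src_ip"], f["src_port"], f["dst_ip"], f["dst_port"])
        match = None
        for c in conns:
            c_key = (c["host_ip"], c["local_port"], c["remote_ip"], c["remote_port"])
            if c_key == f_key and abs(datetime.fromisoformat(c["ts"]) - f_ts) <= window:
                match = c
                break
        results.append({**f,
                        "pid": match["pid"] if match else None,
                        "image": match["image"] if match else None})
    return results


def findings(results):
    """Flag what the network sensor alone could not judge."""
    out = []
    for r in results:
        if r["image"] is None:
            # no agent data: the host is unmonitored, which is itself a gap
            out.append(("unattributed", r["src_ip"], r["dst_ip"]))
            continue
        exe = r["image"].rsplit("\\", 1)[-1].lower()
        if r["dst_port"] == 443 and exe not in EXPECTED_ON_443:
            out.append(("unexpected_process", r["src_ip"], exe))
    return out


if __name__ == "__main__":
    for kind, host, detail in findings(attribute(FLOWS, ENDPOINT_CONNS)):
        print(f"{kind}: {host} {detail}")
```

Only metadata is needed for this join, which is why the text favours metadata over full packet capture; the per-process detail comes from the endpoint, not from inspecting payloads. A real deployment would also archive the joined records so that later-discovered indicators can be replayed against them.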